mirror of
https://github.com/ansible/ansible-documentation.git
synced 2026-03-27 13:28:51 +07:00
@@ -107,39 +107,11 @@ For more details, please refer to the `Hotfix document <https://support.microsof
|
||||
|
||||
WinRM Setup
|
||||
```````````
|
||||
Once Powershell has been upgraded to at least version 3.0, the final step is for the
|
||||
WinRM service to be configured so that Ansible can connect to it. There are two
|
||||
Once Powershell has been upgraded to at least version 3.0, the final step is to
|
||||
configure the WinRM service so that Ansible can connect to it. There are two
|
||||
main components of the WinRM service that governs how Ansible can interface with
|
||||
the Windows host: the ``listener`` and the ``service`` configuration settings.
|
||||
|
||||
Details about each component can be read below, but the script
|
||||
`ConfigureRemotingForAnsible.ps1 <https://github.com/ansible/ansible/blob/devel/examples/scripts/ConfigureRemotingForAnsible.ps1>`_
|
||||
can be used to set up the basics. This script sets up both HTTP and HTTPS
|
||||
listeners with a self-signed certificate and enables the ``Basic``
|
||||
authentication option on the service.
|
||||
|
||||
To use this script, run the following in PowerShell:
|
||||
|
||||
.. code-block:: powershell
|
||||
|
||||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||||
$url = "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"
|
||||
$file = "$env:temp\ConfigureRemotingForAnsible.ps1"
|
||||
|
||||
(New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)
|
||||
|
||||
powershell.exe -ExecutionPolicy ByPass -File $file
|
||||
|
||||
There are different switches and parameters (like ``-EnableCredSSP`` and
|
||||
``-ForceNewSSLCert``) that can be set alongside this script. The documentation
|
||||
for these options are located at the top of the script itself.
|
||||
|
||||
.. Note:: The ConfigureRemotingForAnsible.ps1 script is intended for training and
|
||||
development purposes only and should not be used in a
|
||||
production environment, since it enables settings (like ``Basic`` authentication)
|
||||
that can be inherently insecure. Kerberos is considered a safer production setup. See :ref:`winrm_kerberos` for details.
|
||||
|
||||
|
||||
WinRM Listener
|
||||
--------------
|
||||
The WinRM services listens for requests on one or more ports. Each of these ports must have a
|
||||
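Review bot: going by the 39-to-11 line count in the header, the note that pointed readers to Kerberos through :ref:`winrm_kerberos` as the safer production setup disappears along with the script instructions, which leaves WinRM Setup with no statement of which authentication option to prefer. Consider keeping a one-line pointer to that section after the reworded opening paragraph. Two grammar slips in the surviving context are worth fixing in the same pass: "main components of the WinRM service that governs" should read "govern", and "The WinRM services listens" should read "service listens".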
@@ -467,7 +439,6 @@ this problems is to either:
|
||||
|
||||
See `KB4076842 <https://support.microsoft.com/en-us/help/4076842>`_ for more information on this problem.
|
||||
|
||||
|
||||
Windows SSH Setup
|
||||
`````````````````
|
||||
Ansible 2.8 has added an experimental SSH connection for Windows managed nodes.
|
||||
|
||||
@@ -631,9 +631,8 @@ The WinRM protocol considers the channel to be encrypted if using TLS over HTTP
|
||||
recommended option as it works with all authentication options, but requires
|
||||
a certificate to be created and used on the WinRM listener.
|
||||
|
||||
The ``ConfigureRemotingForAnsible.ps1`` creates a self-signed certificate and
|
||||
creates the listener with that certificate. If in a domain environment, ADCS
|
||||
can also create a certificate for the host that is issued by the domain itself.
|
||||
If in a domain environment, ADCS can create a certificate for the host that
|
||||
is issued by the domain itself.
|
||||
|
||||
If using HTTPS is not an option, then HTTP can be used when the authentication
|
||||
option is ``NTLM``, ``Kerberos`` or ``CredSSP``. These protocols will encrypt
|
||||
|
||||
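Review bot: with the ``ConfigureRemotingForAnsible.ps1`` sentence dropped, the paragraph still says HTTPS "requires a certificate to be created and used on the WinRM listener", but the only guidance left is the ADCS sentence for domain environments, so a host outside a domain gets no indication of how to obtain one. Add a sentence covering that case, or link to wherever the documentation describes listener certificate setup. "ADCS" is also never expanded here; spelling it out as Active Directory Certificate Services on first use would help.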
@@ -7,6 +7,21 @@
|
||||
# the necessary changes to allow Ansible to connect, authenticate and
|
||||
# execute PowerShell commands.
|
||||
#
|
||||
# IMPORTANT: This script uses self-signed certificates and authentication mechanisms
|
||||
# that are intended for development environments and evaluation purposes only.
|
||||
# Production environments and deployments that are exposed on the network should
|
||||
# use CA-signed certificates and secure authentication mechanisms such as Kerberos.
|
||||
#
|
||||
# To run this script in Powershell:
|
||||
#
|
||||
# [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||||
# $url = "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"
|
||||
# $file = "$env:temp\ConfigureRemotingForAnsible.ps1"
|
||||
#
|
||||
# (New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)
|
||||
#
|
||||
# powershell.exe -ExecutionPolicy ByPass -File $file
|
||||
#
|
||||
# All events are logged to the Windows EventLog, useful for unattended runs.
|
||||
#
|
||||
# Use option -Verbose in order to see the verbose output messages.
|
||||
|
||||
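Review bot: the run instructions added to the header fetch the script from the mutable devel branch and hand it straight to "powershell.exe -ExecutionPolicy ByPass -File $file", so the content that executes can change between runs and is never inspected. Suggest pointing $url at a tagged release or a specific commit and adding a comment line that tells the reader to review the downloaded file before running it. Minor: "Powershell" in "To run this script in Powershell:" should be "PowerShell".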
@@ -7,6 +7,21 @@
|
||||
# the necessary changes to allow Ansible to connect, authenticate and
|
||||
# execute PowerShell commands.
|
||||
#
|
||||
# IMPORTANT: This script uses self-signed certificates and authentication mechanisms
|
||||
# that are intended for development environments and evaluation purposes only.
|
||||
# Production environments and deployments that are exposed on the network should
|
||||
# use CA-signed certificates and secure authentication mechanisms such as Kerberos.
|
||||
#
|
||||
# To run this script in Powershell:
|
||||
#
|
||||
# [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||||
# $url = "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"
|
||||
# $file = "$env:temp\ConfigureRemotingForAnsible.ps1"
|
||||
#
|
||||
# (New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)
|
||||
#
|
||||
# powershell.exe -ExecutionPolicy ByPass -File $file
|
||||
#
|
||||
# All events are logged to the Windows EventLog, useful for unattended runs.
|
||||
#
|
||||
# Use option -Verbose in order to see the verbose output messages.
|
||||
|
||||
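Review bot: this hunk is line-for-line identical to the previous one, so any wording change agreed there has to be applied here as well or the two headers will diverge. On the IMPORTANT block itself, "authentication mechanisms that are intended for development environments" does not say which mechanism is meant; the documentation text in this same change names ``Basic`` as the option the script enables, and naming it in this comment would tell the reader exactly which setting makes the result unsuitable for production.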